diff options
| author | jsing <> | 2020-05-26 16:54:50 +0000 |
|---|---|---|
| committer | jsing <> | 2020-05-26 16:54:50 +0000 |
| commit | dc1caebca4d325d1d05fc082722782a2d2374cd6 (patch) | |
| tree | 199db32feb72da8962e82bfd9ea8c59ddb36bd6c /src | |
| parent | f11256d96dcd0d3a8ffb2a69809876112aff58d0 (diff) | |
| download | openbsd-dc1caebca4d325d1d05fc082722782a2d2374cd6.tar.gz openbsd-dc1caebca4d325d1d05fc082722782a2d2374cd6.tar.bz2 openbsd-dc1caebca4d325d1d05fc082722782a2d2374cd6.zip | |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/tls13_record_layer.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c index 658a6d6a9e..70c440fee0 100644 --- a/src/lib/libssl/tls13_record_layer.c +++ b/src/lib/libssl/tls13_record_layer.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_record_layer.c,v 1.45 2020/05/23 11:57:41 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_record_layer.c,v 1.46 2020/05/26 16:54:50 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -548,6 +548,9 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) | |||
| 548 | CBS_data(&header), CBS_len(&header))) | 548 | CBS_data(&header), CBS_len(&header))) |
| 549 | goto err; | 549 | goto err; |
| 550 | 550 | ||
| 551 | if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) | ||
| 552 | goto err; | ||
| 553 | |||
| 551 | if (!tls13_record_layer_inc_seq_num(rl->read_seq_num)) | 554 | if (!tls13_record_layer_inc_seq_num(rl->read_seq_num)) |
| 552 | goto err; | 555 | goto err; |
| 553 | 556 | ||
| @@ -562,6 +565,8 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) | |||
| 562 | content_len--; | 565 | content_len--; |
| 563 | if (content_len < 0) | 566 | if (content_len < 0) |
| 564 | goto err; | 567 | goto err; |
| 568 | if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) | ||
| 569 | goto err; | ||
| 565 | content_type = content[content_len]; | 570 | content_type = content[content_len]; |
| 566 | 571 | ||
| 567 | tls13_record_layer_rbuf_free(rl); | 572 | tls13_record_layer_rbuf_free(rl); |